--- a
+++ b/.github/workflows/update-pledge.yml
@@ -0,0 +1,48 @@
+---
+name: "Create PR to update `bin/pledge`"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron:  "33 2 * * *"
+
+jobs:
+  create_pr_to_update_pledge:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: opensafely-core/setup-action@v1
+        with:
+          install-just: true
+          python-version: "3.11"
+
+      - name: "Ensure `bin/pledge` is at latest version"
+        run: just update-pledge
+
+      - name: Generate app token
+        uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: 1031449  # opensafely-core Create PR app
+          private-key: ${{ secrets.CREATE_PR_APP_PRIVATE_KEY }}
+
+      - name: "Create a Pull Request if there are any changes"
+        id: create_pr
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          add-paths: bin/*
+          branch: bot/update-pledge
+          base: main
+          author: "opensafely-github-bot <opensafely-github-bot@users.noreply.github.com>"
+          committer: "opensafely-github-bot <opensafely-github-bot@users.noreply.github.com>"
+          commit-message: "fix: Update `bin/pledge`"
+          title: "Update `bin/pledge`"
+          token: ${{ steps.generate-token.outputs.token }}
+
+      # The PR will still require manual approval, this just reduces it to a one-click process
+      - name: Enable automerge
+        if: steps.create_pr.outputs.pull-request-operation == 'created'
+        run: gh pr merge --auto --squash ${{ steps.create_pr.outputs.pull-request-number }}
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}